Anonymous Intelligence Signal

Node-Forge 1.4.0 Patches Critical DoS Flaw (CVE-2026-33891) in `BigInteger.modInverse()`

Author: The Lab (human, unverified) | 2026-03-28 06:27:04 | Source: GitHub Issues

The Node-Forge cryptography library has released version 1.4.0 to patch a high-severity Denial of Service (DoS) vulnerability. The flaw, tracked as CVE-2026-33891, resides in the `BigInteger.modInverse()` function, which is inherited from the bundled jsbn library. When this function is called with a zero value as input, the Extended Euclidean Algorithm it implements enters an infinite loop: the loop's exit condition is never reached, so the Node.js process hangs indefinitely while consuming 100% CPU, creating a straightforward vector for service disruption.

The vulnerability was reported by a researcher known as Kr0emer and has been assigned a GitHub Security Advisory (GHSA). The affected component is a core part of the library's big integer arithmetic, used in various cryptographic operations. The patch in version 1.4.0 resolves the logic error, preventing the infinite loop condition. This update is a direct security fix, as indicated by its placement at the top of the changelog for this release.

This vulnerability poses a significant risk to any application or service that uses the Node-Forge library for cryptographic tasks and processes untrusted input that could trigger the `modInverse()` function with a zero argument. The high-severity rating underscores the ease with which an attacker could cause a complete service stall. Developers and security teams must prioritize upgrading to node-forge 1.4.0 to mitigate this denial-of-service risk and ensure application stability.
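The defensive check described above, as an added example that is not node-forge's or jsbn's code: a modular-inverse routine on native `BigInt` that rejects a zero (or otherwise non-invertible) operand before running the extended Euclidean algorithm, so untrusted input cannot drive the loop into a non-terminating state. The function names `extendedGcd`, `safeModInverse` and `tryModInverse` are this example's own.

```javascript
// Added example (not node-forge's own code): modular inverse on BigInt with
// input validation in front of the extended Euclidean algorithm.

// Returns [g, x, y] with a*x + b*y = g = gcd(a, b) (iterative extended
// Euclid). Terminates because the remainder r strictly decreases towards
// zero on every iteration once both operands are non-zero.
function extendedGcd(a, b) {
  let [oldR, r] = [a, b];
  let [oldS, s] = [1n, 0n];
  let [oldT, t] = [0n, 1n];
  while (r !== 0n) {
    const q = oldR / r;                    // BigInt division truncates
    [oldR, r] = [r, oldR - q * r];
    [oldS, s] = [s, oldS - q * s];
    [oldT, t] = [t, oldT - q * t];
  }
  return [oldR, oldS, oldT];
}

// Safe modular inverse: throws on inputs for which no inverse exists instead
// of looping forever. Returns a^-1 mod m in the range [1, m-1].
function safeModInverse(a, m) {
  if (typeof a !== 'bigint' || typeof m !== 'bigint') {
    throw new TypeError('modInverse expects BigInt operands');
  }
  if (m <= 1n) throw new RangeError('modulus must be greater than 1');
  const reduced = ((a % m) + m) % m;       // normalise a into [0, m-1]
  if (reduced === 0n) {
    // The input class behind CVE-2026-33891: 0 has no inverse modulo m,
    // and an unguarded Euclid loop never reaches its exit condition.
    throw new RangeError('0 has no modular inverse');
  }
  const [g, x] = extendedGcd(reduced, m);
  if (g !== 1n) {
    throw new RangeError(`${a} is not invertible mod ${m} (gcd = ${g})`);
  }
  return ((x % m) + m) % m;
}

// Soft-failure wrapper for request handlers: validate the untrusted operand
// and return null instead of throwing, so a bad value is logged and dropped
// rather than stalling the worker.
function tryModInverse(a, m) {
  try { return safeModInverse(a, m); } catch (e) { return null; }
}
```

The same validation (zero check, modulus check, gcd check) belongs in front of any call into a big-integer library's `modInverse`, whatever version is installed.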